7 Using Self Signed Certificates

Self signed certificates can be used for development environment for securing applications. The generic steps to be followed for creating self signed certificates and configuring for use for Oracle Retail application deployment are covered in the subsequent sections.

The following topics are covered in this chapter:

• Creating a Keystore through the Keytool in Fusion Middleware (FMW) 11g

• Exporting the Certificate from the Identity Keystore into a File

• Importing the Certificate Exported into trust.keystore

• Configuring WebLogic

• Configuring Nodemanager

• Importing Self Signed Root Certificate into Java Virtual Machine (JVM) Trust Store

• Disabling Hostname Verification

• Converting PKCS7 Certificate to x.509 Certificate

Creating a Keystore through the Keytool in Fusion Middleware (FMW) 11g

Perform the following steps to create a keystore through the keytool in Fusion Middleware (FMW) 11g:

1. Create a directory for storing the keystores.

   $ mkdir ssl

2. Run the following to set the environment:

   $ cd $MIDDLEWARE_HOME/user_projects/domains/<domain>/bin

   $ . ./setDomainEnv.sh

   Example:

   apphost2:[10.3.6_apps] /u00/webadmin/product/10.3.6/WLS/user_projects/domains/APPDomain/bin> . ./setDomainEnv.sh
   apphost2:[10.3.6_apps] /u00/webadmin/product/10.3.6/WLS/user_projects/domains/APPDomain>
   

3. Create a keystore and private key, by executing the following command:

   keytool -genkey -alias <alias> -keyalg RSA -keysize 2048 -dname <dn> -keypass <password> -keystore <keystore> -storepass <password> -validity 365
   

   Example:

   apphost2:[10.3.6_apps] /u00/webadmin/ssl> keytool -genkey -alias apphost2 -keyalg RSA -keysize 2048 -dname "CN=<Server Name>,OU=<Organization Unit>, O=<Organization>,L=<City>,ST=<State>,C=<Country>" -keypass <kpass> -keystore /u00/webadmin/ssl/apphost2.keystore -storepass <spass> -validity 365
    
   apphost2:[10.3.6_apps] /u00/webadmin/ssl> ls -ltra
   total 12
   drwxr-xr-x 18 webadmin dba 4096 Apr  4 05:31 ..
   -rw-r--r--  1 webadmin dba 2261 Apr  4 05:46 apphost2.keystore
   drwxr-xr-x  2 webadmin dba 4096 Apr  4 05:46 .
   apphost2:[10.3.6_apps] /u00/webadmin/ssl>
   

Exporting the Certificate from the Identity Keystore into a File

Perform the following steps to export the certificate from the identity keystore into a file (for example, pubkey.cer):

1. Run the following command:

   $ keytool -export -alias selfsignedcert -file pubkey.cer -keystore identity.jks -storepass <password>

   Example:

   apphost2:[10.3.6_apps] /u00/webadmin/ssl> keytool -export -alias apphost2 -file /u00/webadmin/ssl/pubkey.cer -keystore /u00/webadmin/ssl/apphost2.keystore -storepass <spass>
   Certificate stored in file </u00/webadmin/ssl/ropubkey.cerot.cer>
   apphost2:[10.3.6_apps] /u00/webadmin/ssl> ls -l
   total 8
   -rw-r--r-- 1 webadmin dba 2261 Apr  4 05:46 apphost2.keystore
   -rw-r--r-- 1 webadmin dba  906 Apr  4 06:40 pubkey.cer
   apphost2:[10.3.6_apps] /u00/webadmin/ssl>
   

Importing the Certificate Exported into trust.keystore

Perform the following steps to import the certificate you exported into trust.keystore:

1. Run the following command:

   $ keytool -import -alias selfsignedcert -trustcacerts -file pubkey.cer -keystore trust.keystore -storepass <password>

   Example:

   apphost2:[10.3.6_apps] /u00/webadmin/ssl> keytool -import -alias apphost2 -trustcacerts -file pubkey.cer -keystore trust.keystore -storepass <spass>
   Owner: CN=apphost2, OU=<Organization Unit>, O=<company>,L=<city>,ST=<state or province>, C=<country>
   Issuer: CN=apphost2, OU=<Organization Unit>, O=<company>,L=<city>,ST=<state or province>, C=<country>
   Serial number: 515d4bfb
   Valid from: Thu Apr 04 05:46:35 EDT 2013 until: Fri Apr 04 05:46:35 EDT 2014
   Certificate fingerprints:
            MD5:  AB:FA:18:2B:BC:FF:1B:67:E7:69:07:2B:DB:E4:C6:D9
            SHA1: 2E:98:D4:4B:E0:E7:B6:73:55:4E:5A:BE:C1:9F:EA:9B:71:18:60:BB
            Signature algorithm name: SHA1withRSA
            Version: 3
   Trust this certificate? [no]:  yes
   Certificate was added to keystore
   apphost2:[10.3.6_apps] /u00/webadmin/ssl>
   

Configuring WebLogic

You need to enable SSL for WebLogic server's Admin and managed servers by following the steps as provided in Configuring the Application Server for SSL section.

Configuring Nodemanager

You need to secure the Node manager by following the steps in Securing Nodemanager with SSL Certificates section.

Importing Self Signed Root Certificate into Java Virtual Machine (JVM) Trust Store

In order for the Java Virtual Machine (JVM) to trust in your newly created certificate, import your custom certificates into your JVM trust store.

Perform the following steps to import the root certificate into JVM Trust Store:

1. Ensure that JAVA_HOME has been already set up.

2. Run the following command:

   $keytool -import -trustcacerts -file rootCer.cer -alias selfsignedcert -keystore cacerts

   Example:

   apphost2:[10.3.6_apps] /u00/webadmin/product/jdk1.1.7_30.64bit/jre/lib/security> keytool -import -trustcacerts -file /u00/webadmin/ssl/root.cer -alias apphost2 -keystore /u00/webadmin/product/jdk1.6.0_30.64bit/jre/lib/security/cacerts -storepass [spass default is changeit]
   Owner: CN=apphost2, OU=<Organization Unit>, O=<company>,L=<city>,ST=<state or province>, C=<country>"
   Issuer: CN=apphost2, OU=<Organization Unit>, O=<company>,L=<city>,ST=<state or province>, C=<country>"
   Serial number: 515d4bfb
   Valid from: Thu Apr 04 05:46:35 EDT 2013 until: Fri Apr 04 05:46:35 EDT 2014
   Certificate fingerprints:
            MD5:  AB:FA:18:2B:BC:FF:1B:67:E7:69:07:2B:DB:E4:C6:D9
            SHA1: 2E:98:D4:4B:E0:E7:B6:73:55:4E:5A:BE:C1:9F:EA:9B:71:18:60:BB
            Signature algorithm name: SHA1withRSA
            Version: 3
   Trust this certificate? [no]:  yes
   Certificate was added to keystore
   apphost2:[10.3.6_apps] /u00/webadmin/product/jdk1.6.0_30.64bit/jre/lib/security>
   

Disabling Hostname Verification

This section has been covered under Disabling Hostname Verification section.

Converting PKCS7 Certificate to x.509 Certificate

Certificate authorities provide signed certificates of different formats. However, not all formats of certificates can be imported to Java based keystores. Hence the certificates need to be converted to usable form. Java based Keystores supports x.509 format of certificate.

The following example demonstrates converting certificate PKCS 7 to x.509 format:

1. Copy the PKCS 7 certificate file to a Windows desktop.

2. Rename the file and provide .p7b extension.

3. Open the .p7b file.

4. Click the plus ( + ) symbol.

5. Click the Certificates directory.

   An Intermediary certificate if provided by CA for trust.

   
   

   Note: If an Extended Validation certificate is being converted you should see three files. The End Entity certificate and the two EV intermediate CA's.

   
   

6. Right click on your certificate file.

7. Select All Tasks > Export.

8. Click Next.

9. Select Base-64 encoded X.509 (.cer) > click Next.

10. Browse to a location to store the file.

11. Enter a File name.

    For example, MyCert. The .cer extension is added automatically.

12. Click Save.

13. Click Next.

14. Click Save.

The certificate can be now imported into java based keystores.

Example:

apphost1:[10.3.6_apps] /u00/webadmin/ssl> keytool -import -trustcacerts -alias apphost1 -file /u00/webadmin/ssl/cert-x509.cer -keystore /u00/webadmin/product/jdk/jre/lib/security/cacerts
Enter keystore password: [default is changeit]
Certificate was added to keystore
apphost1:[10.3.6_apps] /u00/webadmin/ssl>